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Abstract: This paper formulates the authentication planning problem when 
network coding is implemented in a wireless sensor network. The planning 
problem aims at minimizing the energy consumed by the security application 
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Planification pour la securisation d'un codage en 

reseau 



Resume : Les reseaux sans-fil sont particulierement vulnerables aux attaques 
par pollution dans lesquelles un attaquant externa est capable d'envoyer ces 
propres messages sur le reseau. Pour pouvoir detecter de telles attaques L la 
destination, un code d'authentification (MAC: Message Authentication Code en 
anglais) est rajoute L chaque paquet. Un noeud intermediaire peut verifier la 
validite d'un paquet de faDon L limiter la portee de transmission d'un paquet 
pollue dans le reseau. Dans le cadre d'un reseau fortement contraint en energie 
tel qu'un reseau de capteurs, le probleme du deploiement d'une strategic de 
securisation du reseau par MAC se pose. En efFet, la consommation energetique 
du reseau sera fortement influencee d'une part par le type de MAC utilise dans le 
reseau et d'autre part par le choix des relais du reseau qui verifieront le code des 
paquets avant de les retransmettre. Nous nous interessons plus particulierement 
au cas ol le reseau de capteurs utilise une transmission par codage reseau de 
par sa plus grande vulnerabilite aux attaques par pollution. Ce type de reseau 
necessite I'emploi de MAC dedies (lineaires). 

Dans ces travaux, nous proposons une formulation combinatoire du probleme 
de planification de la securite. Dans cette formulation, nous minimisons I'energie 
totale consommee par le reseau securise pour la transmission d'un paquet par 
source dans le reseau. Les variables sont les decisions d'authentification binaires 
des noeuds. Nous illustrons ce modele pour un reseau papillon pour lequel 
differentes distributions des probabilites d'attaque sur les liens sont considerees. 

Mots-cles : Reseaux de capteurs, codage reseau, securite, message authenti- 
cation codes, planification, optimisation 
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1 Introduction 

Network coding [Illl] are particularly vulnerable to pollution attacks [3] where 
an outsider adversary injects his malicious data. Indeed, network coding spreads 
the pollution by combining legitimate messages with polluted ones and therefore 
limiting the recovery probability of legitimate messages. Message authentica- 
tion has to be ensured for end-to-end communications between any source and 
destination of the network. Pollution attacks can be defeated using message 
authentication codes (MACs). The primary goal of MAC is to prevent an ad- 
versary to tamper with the messages (substitution) and to forge its own messages 
(impersonation). A keyed cryptographic digest of the message, which can be 
ciphered or not, is appended to the message. The message is authenticated suc- 
cessfully if the destination is able to compute the same keyed signature than the 
one appended to the message, knowing the secret key shared with the emitter. 
A comprehensive survey of MAC can be found in [3]. In this paper, we make 
an extensive use of MAC based on universal hash functions (UHF-MAC) [5]. 
Such functions may exhibit linearity which is particularly suited for network 
coding and they have been used in past works |BHH] to thwart pollution attacks 
systematically by each node of the network. 

In contrast to previous works [5HS] , this paper addresses the problem of ef- 
ficiently planning an authentication service for an energy constrained wireless 
network. A topical example is wireless sensor networking (WSN) whose security 
deployment has to guarantee low energy expenditure [3]. It is used as a case 
study herein. The security planning problem resumes to determining which 
nodes are going to authenticate the messages and which authentication strate- 
gies are the most energy efficient to deploy. We assume that the designer has 
some information on the distribution of the threat in the network. For instance, 
he may know that part of the network belongs to a trusted perimeter where 
security risks are low. Threat is modeled in this work with a probability of 
attack for each link of the network. A binary optimization formulation for the 
authentication planning problem is derived. Optimal solutions with respect to 
energy are provided and analyzed for a butterfly network topology with respect 
to various scenarios of attack. 

The paper is structured as follows. Section [2] states the problem and Section 
13] derives the according optimization model. Section Ogives energy optimal roll 
out strategies for the butterfly network and Section [5] concludes the paper. 

2 Authentication planning problem 

In this paper, we only consider the case of XOR network coding [2] and not 
random linear network coding. 

2.1 Attack topology 

Pollution attacks are committed on the links of the network G. The number 
of links attacked and their location define an attack topology A. We consider 
that the designer may not have a complete knowledge of the location of the 
attack at any point in time. Hence, he may have a confidence level in a link 
depending on its location in the network. For instance, links located inside of 
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Table 1: Energy performance of basic authentication strategies for a uniform 
attack topology. 





Security maniac 


Naive strategy 


Authentication planning 


Authenticating 
Nodes 


All relays + 
Destinations 


Destinations 
only 


Optimal selection w.r. 
threat + destinations 


Objective 


Detect threat asap 


Limit unnecessary checks 


Minimize energy 


Low threat 
(small p) 


Energy wasted for 
unnecessary checks 


Quasi energy 
optimal 


Energy optimal 


High threat 
(high p) 


Quasi energy 
optimal 


Energy wasted for 
forwarding polluted messages 



a trusted perimeter may have a higher confidence while the ones outside have 
a lower confidence. This feature is modeled using a probability of attack pij on 
a link of the network which is defined as the probability of a message of 
being attacked on (i,j). 





(a) 

Figure 1: Butterfly network and attack topology. 

An attack topology A is defined by the distribution of the probabilities of 
attack for all the links of the network (see Fig. [1]). For instance, this topology 
can be uniform and in this case, all links are attacked with the same probability 
p. Topology A may as well model an attack localized on a single link (i,j). In 
this case, A is composed of a single non-null probability of attack pij. 

2.2 Authentication strategies 

The purpose of this paper is to derive a model that yields the energy optimal 
authentication strategy knowing an attack topology ^ on a network G perform- 
ing XOR network coding. An authentication strategy is defined by the subset 
of nodes that authenticate the messages and the modes of UHF-MAC used 
(presented later in this section). 

First of all, it is important to note that the sources generate the messages 
with their corresponding digests and that the destinations always verify what 
they have received. Consequently, the destinations are always able to disregard 
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polluted messages. These checks are mandatory and their cost in energy is 
incompressible. 

For all relaying nodes other than the destinations, we have a degree of free- 
dom: they may or not authenticate the messages. This may incur a certain 
authentication cost in energy at the relays. As shown in [S] performing verifi- 
cation is as energy expensive as sending plus receiving a message. However, in 
some cases it may be beneficial to the overall network energy performance since 
polluted messages are not uselessly forwarded towards the destination. In the 
case of network coding, it will also prevent the creation of polluted combination 
and preserve the throughput. 

In terms of security planning, two extreme strategies are often considered. 
On the one side, the security maniac strategy emphasizes on detecting an attack 
as soon as possible, limiting the pollution in the network. All the relaying nodes 
authenticate the messages as considered in [3l|6l[7]. Unnecessary verifications 
can lead to a waste of energy. On the other side, the security naive strategy 
considers that an end-to-end authentication is sufficient and that there is no 
need to empower relays with authentication capabilities. Forwarding polluted 
messages incurs both a same energy waste and a throughput reduction. 

Intermediate strategies are possible to improve the energy and throughput 
performance. Table |4] resumes all strategies. Finding optimal strategies is the 
aim of this work which can be achieved by solving an optimization problem. 
More specifically, we define the authentication planning problem that minimizes 
the overall energy consumption of a WSN knowing its topology, the network 
coding rules, the authentication MAC modes and the attack topology existing 
in the network. 

2.3 MAC schemes 

It has been established by Apavatjrut et al. in [S] that MACs based on the 
classical primitives that are block ciphers or hash functions imply an energetic 
cost too important for the relaying nodes of a WSN. The same observation holds 
for the underlying primitives (exponentiation) used in [7]. On the opposite, 
MACs based on UHFs [6j[8] offer more flexibility for the authentication if we 
use an e-almost XOR universal hash (e-AXU) function h is (see [S] for more 
details). The most interesting property for our problem is the linearity of these 
functions: h{mi) © h(m2) ~ h{mi © 7712) with mi and m2 two n-bit messages. 
We voluntarily skip the details related to this function as they are not essential 
to understand the core of this paper (see [Hl|5] for further details). 

Exploiting the linearity is particularly interesting for authentication in the 
context of network coding. Let us consider a node in the network who has to 
combine (XOR) £ messages and their corresponding authentication codes. A 
MAC based on e-AXU function offers three possibilities for authentication: (i) 
the node authenticates each message individually, combines (XOR) the valid 
ones and computes the authentication code of this sum. Then, the message is 
forwarded. We refer to this mode of operation by AXF throughout the paper. 
The AXF mode requires i verifications, i.e. i computations of the MAC. (ii) 
The node checks that the sum modulo two of the authentication codes is equal 
to the authentication codes of the sum modulo two of the messages. By doing 
so, it exploits the linearity of the MAC to reduce the authentication to a single 
computation of the MAC. We refer to this mode of operation as XAF. The 
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drawback of the XAF is that the node forwards a message if and only if the £ 
incoming messages are not poUuted. (iii) The node can also simply forward the 
sum modulo two of messages alongside the sum modulo two of the authentication 
codes. Any verification is delegated to other nodes. We refer to this mode of 
operation as XF. 

3 Optimization model 

The authentication planning problem is formulated in the following using a 
binary integer program. 

3.1 Network model 

We assume that the network topology is known. The network is modeled using 
a directed acyclic graph G{V, £) having vertex set V and edge set f C V x V. 
Without loss of generality, V = {1, 2, ... , |V|}. For each node i G V, A/i and Xfi 
are the sets of edges leaving from and the set of edges going into i, respectively. 
Formally A/^ - G £} andP, = {{f,t)\{j\i) S £}. 

A set of sources O and destinations V is defined. Since we address the WSN 
case, O is the set of sensors having data to report in multicast to the I'D] sink 
nodes and we consider I'D] << \0\. Source and destination nodes do not relay 
the information. As a consequence, the network we are modeling is composed 
of a set of relay nodes TZ = V \ {0 UT>). In the following, we consider that the 
number of relays in the network is A^ = |7?,|. So far, we do not consider any 
propagation losses and assume a perfect channel transmission. 

The vertices V are partitioned into two groups of nodes: a subset TZc G TZ 
of relays performing XOR network coding and TZf ^ TZ \ TZc which are simply 
forwarding messages. Knowing G(V,f), simple rules are set to define TZc and 
TZfi the coding relays have more than one edge coming into them (i.e. |jVi| > 1) 
while forwarding-only relays TZf are characterized by a single incoming edge (i.e. 

1^1 = 1). 

The binary quantity Ci G {0, 1} is fixed to differentiate nodes of TZc per- 
forming network coding from nodes of TZf that are simply forwarding messages. 
Hence, for any node i G TZc, c,; = 1 and for i G 7?./, = 0. 

Attack topology Security threats are modeled in G by a valuation pij on 
edge (i, j) G £. The set of all valuations A = {Py |(*, j) 6 £} defines an attack 
topology. We assume that the attacks are independent on the edges of the graph. 
The attack topology is considered as being known by the network designer. In 
this setup, energy optimal security strategies can be derived as shown in the 
following. 

The following optimization model captures the impact of the previously de- 
scribed MAC strategies on the overall energy consumption of the network. 

3.2 Optimization variables 

Authenticate variable Any node in TZ may or may not authenticate mes- 
sages, whether this node is a coding or a forwarding-only node. Let Xi G {0, 1} 
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be the first main binary variable of this model, li Xi ~ 1, node i authenticates 
each incoming message while if Xi = 0, it never authenticates. 

If a node authenticates a message (i.e. Xi = 1), it has two opposite effects 
on the overall energy consumption: 

• more energy is spent by the authentication process, 

• but energy for forwarding polluted messages is saved. 

MAC mode of operation As shown earlier, XAF and AXF modes do not 
yield the same energy consumption. Let rui £ {0, 1} be a binary variable that 
gives the mode of authentication used by a coding node i G TZc- If 'm-i = 1, 
we have XAF and if nii = we have AXF. This variable can be interpreted 
as whether the XOR operation is done before authentication (m^ = 1 ; XAF 
mode) or after authentication (m^ ~ ; AXF mode). 

Node and network authentication strategy The node authentication strat- 
egy Si is defined for any coding node i G TZc by the tuple Si ~ (xi,mi,Ci) and 
for any forwarding-only node i G TZf hy the pair Si = {xi, Ci). Table [2] gives the 
correspondence between the possible tuples and the MAC modes of operation 
for any coding and forwarding-only node. For forwarding-only nodes, the value 
of mi is undetermined since no XOR step is performed. 

The network authentication strategy ^ is defined by the set of node authen- 
tication strategies for all nodes of the network ^ = {5,;, Vi G TZ}. 

Table 2: MAC modes and corresponding security strategies 



Node security strategies 


Coding node 


AXF 
XAF 
XF 


[xi = 1, mi = 0, Ci = 1) 
{xi = 1, mi = 1, Ci = 1) 
{xi = 0, = 1, Ci = 1) 


Relay node 


AF 
F 


{xi = 1, Cj = 0) 
{xi = 0, Cj = 0) 



3.3 Forwarding decisions 

We define the forwarding decision of a node i as the probability that this node 
decides to transmit a received message. Let /i G [0, 1] be the forwarding proba- 
bility of node i. If authentication is performed by node i, this decision is positive 
if no polluted message is detected. This decision is a direct consequence of the 
node authentication strategy Si {xi, mi) and the probability of a polluted mes- 
sage to arrive from a direct neighbor node k to node i. 

Let define Pfc^ as the probability of a polluted message to arrive at node 
i coming from node k. This probability is a function of node authentication 
strategy Sk, the forwarding decisions and the attack probabilities related to all 
the paths between the sources s G O and i going through k. Its derivation is 
given after the forwarding decision description. 
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The forwarding decision fi of node i depends on its node type q. The global 
formulation of fi is: 

/. = (l-c,)-A^+c.-/f (1) 

where ff and ff are the forwarding probabilities for the case node i is a for- 
warding or a coding node, respectively. 



Forwarding node For i e 7?,/ (c; = 0), the forwarding decision is function 
of Xi and Pki- If cii ~ 0, the node simply forwards every received message and 
hence fi = 1. Else {xi = 1) the node forwards with probability /i = (1 — 'Pki) 
which represents the probability of an unpolluted message to arrive in i. The 
forwarding probability for the case = is derived as: 

= (l-a;,)+x,(l-PfcO (2) 



Coding node For i £ TZc (cj = 1), the forwarding decision depends on the 
MAC strategy. For the case of AXF, a node forwards a message if at least 
one of its incoming messages is non-polluted which happens with probability 
l^rifcgXr '^'^i- ^'-'^ ^^^'^ '^^^^ of XAF, a message is forwarded if all messages XOR- 
ed together are non-polluted which happens with probability Ilfcgj7:(l ~ Pfci) 

A closed-form derivation of the forwarding decision for any type of node of 
the network is given by: 



m, Y[il Pfc<) + (1 - m,){l - II Pfc,;) 



(3) 



The pollution probability P^.^ A message coming into node i from a neigh- 
bor node can be polluted for two reasons: i) node k sends a message that is not 
polluted and the message gets polluted on the link between k and i following 
the local probability of attack pki on (fc, i) ; ii) node k forwards a message that 
is polluted (this is only the case if node k does not implement an authentication 
function, i.e. Xk = 0). 

For the case Xk ~ 1, node k authenticates and the pollution probability 
is equal to P^^ = fk ■ Pki, which is the probability that node k forwards an 
unpolluted message and that it can only be polluted by an attack on link (fc, i). 

For the case Xfc = 0, node k cannot detect if it forwards a polluted message 
or not. Hence, the probability for the message sent by k to be polluted depends 
on the previous history of the message in the network. Hence, it is derived 
recursively knowing the values of the forwarding and attack probabilities on all 
paths coming into node k. In this case, P^^ = 1 — (1 — pki) ■ Wi^^X^ ~ P;fc)i 
where JligXr^-'^ ^ Pifc) is the probability for a message to arrive in k without 
being polluted on the links coming into k. 

A global formulation of P^^ with respect to Xk is given by: 

Pkt = fk [xk ■ Pki + 

{l-Xk)- \{ (1-Pife) 
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For the case fc = s e 0, Pgi ~ psi since fs — 1. 

Pollution and forwarding probability Since the network is a directed 
acycUc graph, there are no loops in the network and the values of the pollu- 
tion and forwarding probabilities exist and can be derived for any node of the 
network. The causal dependency between the definitions of these probabilities 
is rooted in the network coding of the messages originating from different paths. 
In order to compute fi for node i, the pollution probabilities on all its incoming 
links {PfeijVfc € Xfi} are needed. These values depend on the forwarding prob- 
abilities of the intermediary nodes that belong to the existing paths joining the 
source nodes to i. 

We consider first the case of a layered network where the network is divided 
into layers of nodes. The sources are connected to nodes of layer one but not 
to nodes of layer 2, nodes of layer 1 are connected to nodes of layer 2 but not 
to nodes of layer 3, etc. In this case, pollution and forwarding probabilities can 
be computed layer by layer. For layer 1 nodes, Fgi ~ pai and fi is deduced 
using ([T]). Then, P^j is computed according to ^ for layer 2 nodes and fj is 
derived according to ([T]) for layer 2 nodes as well. The process is repeated until 
the destination layer is reached. This iterative algorithm can be extended to 
support the case of a more general DAG, but for conciseness purposes, it is not 
presented herein. 

3.4 Energy cost function 

The energy cost function J-e{Ci counts the energy spent for the end-to-end 
transmission of one message sent by the sources s e O to their destinations Vs 
for a specific network authentication strategy (or solution) ^: 

^e{0 = ^o(C) + :Fn{0 + :ft>{0 (5) 

where J-o{£.): J'uiO ^^^'^ J'viO are the costs in energy relative to the energy 
expenditure of source nodes, relay nodes and destination nodes, respectively. 

Table 3: Energy costs (xlO^^J) for the atomic actions. Values are given for 
the transmission of one message. 



Emission 


Qt 


0.556851 


Reception 


Qr 


0.7995405 


Authentication (UHF-MAC) 


Qa 


1.686154 


XOR of 2 messages 


QxOR 


0.00003135 



The costs in energy for the atomic actions are listed in Table [31 They have 
been collected in |1] using the WSim/eSimu energy estimation tool [TO] for a 
TI MSP430 based platform and a Ti CC2420, 802.15.4 compliant, radio device 
similar to TelosB nodes. It is worth mentioning that one authentication is as 
expensive as a combined message emission and reception. 

The cost related to the transmission of a message by the source nodes is 
directly proportional to the number of sources Fo = \0\ ■ {Qt + Qa)- The 
cost related to the reception of a message by the destination nodes depends 
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on the number of messages Nd destination d will receive from its previous hop 
neighbors: 

where iV, 

The derivation of the energy consumption for all relays in the network is 
given by: 

•^TC = ^ [N^ -Qr + Xi- TA{ci,mi) + fi ■ Qt] 
ien 

The function J-A{ci, mi) gives the energy consumption of authentication with re- 
spect to the type of node (coding or forwarding) and the MAC mode considered. 
It is defined by: 

FA{ci,mi) = Ci ■ [QxoR ■ (Ni - 1) + 
• QxAFii) + (1 - m,) ■ Q^xf (*)] + (1 - c^)Qa ■ Pf"' 

where QAxrii) and QxApii) are the costs for authenticating a message using 
AXF and XAF, respectively Pp'^ = 1 - Uketf i^ - fk) is the probability of 
node i to receive at least one message from its one hop neighbors. 

XAF has the cost of authenticating a single message (QxApii) ~ Qa ■ Pf '^'^) 
since it is performed on the XOR-ed version of the incoming messages. QAxrii) 
is a function of the number of messages received at node i since each incoming 
message is authenticated individually. It is derived as QAXpii) = Qa ■ Ni 

3.5 Optimization problem definition 

We recall that 7?. is a set of N relays of c = \TZc\ coding and N — c forwarding 
relays. The security •planning problem can be formulated by the binary integer 
program as follows. 
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mill J^e{0 



s.t. ft : 



c 



ki 



s,, = 



Vien 



(1 - Xi) + Xi 



(l-m,)(l- W Ph 
/fc [xk ■ Pki + 



(i-xk)- \ i-{i-Pk,)- n (1-P«0 



{s,,yi e n} 

(c„a;,)e {0,l}x{0,l} 
rrii e {0, 1} 

Pfcz e [0,1] 



Vi G7e 

Vi G Tic 
V(z,j) Gf 



The solution set has a cardinality of 3"^ • 2 The energy cost is not linear and 
hence, the problem is not an binary linear program. 



Table 4: Description of the six solutions for the butterfly network 



Strategy 


{xc,mc) 


Xd 


Description 


(XF ; F) 


(0,-) 





C, D forward only 


(XF ; AF) 


(0,-) 


1 


Authentication on D only 


(AXF ; F) 


(1,0) 





AXF on C only 


(XAF ; F) 


(1,1) 





XAF on C only 


(AXF ; AF) 


(1,0) 


1 


AXF on C, Auth. on D only 


(XAF : F) 


(1,1) 


1 


XAF on C, Auth. on D 



4 Results 

The security planning problem is illustrated for the butterfly network (cf. Fig.[T]). 
C is a coding node and D a forwarding relay. The six network authentication 
strategies are given in Table 01 For instance, the first strategy (XF ; F) is the 
security nai've strategy where neither C nor D are authenticating. On the op- 
posite, the two last entries are security maniac strategies where both nodes are 
authenticating. 
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Energy optimal solution 
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8 
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4 
2 



(AXF ; F) 
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Energy optimal solution 
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(XAF ; F) 



0.2 0.4 0.6 0.8 1 

Attack probability p on links [A, C) and (C, D) 



20 
18 

16 



>-> 14 



PJ 
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10 

8 

6 

4 

2 



(AXF ; F) 



(AXF ; AF) 



(XF ; AF) 



(AXF ; F 



(XAF ; F) 

- Energy optimal strategy 

Energy optimal with best throughput 

I I I I 

0.2 0.4 0.6 0.8 

Uniform attack probability p 



Figure 2: Energy optimal strategy with and without best throughput constraint 
with respect to attack probability p when 1, 2 and 3 links are attacked. 
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Figure 3: Average probability to receive non-polluted messages for energy op- 
timal strategies with and without best throughput constraint with respect to 
attack probability p when 1, 2 and 3 links are attacked. 
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In this analysis, we only consider attack topologies that involve the links 
{A,C), {B,C) and {C,D) since attacks on other links can only be detected by 
destinations E and F. We describe three scenarios of attack: 

• The attack targets a single link. Since the network is symmetrical, only 
the cases of an attack on links {A, C) and (C, D) are relevant. We chose 
to show the results for an attack on link {A, C). 

• The attack targets two links. Again, only the cases where attacks are on 
the pair of links (A, C)/(i?, C) and (A, C)/(C, -D) can be considered for 
symmetry purposes. The results related to the (A, C)/(C, D) pairs are 
presented here. We assume that the attacks on both links arise with the 
same probability (i.e. pAc =Pcd ~p)- 

• The attack targets the incoming links of the relaying nodes. In this case, 
all three links are attacked with the same uniform probability (i.e. pAc = 

PBC =PCD =p)- 

The results related to the energy optimal strategies are given on Fig. [5] and 
Fig. El Fig. [2] presents the total energy spent Fe{£,*) by the optimal strategy ^* 
with respect to the attack probability p on the link(s) targeted by the attacker. 
Two cases are considered. In the first one, we look for the energy optimal strategy 
which minimizes total energy following the problem defined in Section |3l In the 
second case, we show the performance of the energy optimal with best throughput 
strategy which looks for the strategy that maximizes the throughput at minimal 
energy. 

Throughput is measured in our case by the average probability Pth for both 
destinations E and F to decode the messages of A and B. Destinations can 
decode messages from A and B if they are non-polluted. If authentication is 
performed at coding node C, this probability depends on the MAC mode. For 
AXF, this probability is higher than for XAF because messages that are not 
polluted are always forwarded. A general expression for the butterfiy network 
is Pth 0.5 • /c ■ (1 -Pcd) [2 " PAC - Pbc], where /c = 1 -PAC -PBC for AXF 
and fc = (1 — pAc)(l ~~ Pbc)- Fig. [3] gives the values of Pth with respect to 
the attack probability p for the energy optimal and energy optimal with best 
throughput strategies. 

Results show that strategies that minimize the number of forwarded mes- 
sages are the most energy efficient ones. AXF never belongs to an energy optimal 
strategy because the energy cost of verification is high but also because it trans- 
mits more messages. However, this is the only MAC mode that mitigates the 
spread of pollution induced by network coding. As a first conclusion, if through- 
put guarantee is the main concern, energy has to be spent for authentication by 
using AXF. 

When the probability of attack is low, the strategy where C and D simply 
forward messages is the most energy efficient since there are no security checks. 
However, when p increases, more energy can be saved by authenticating mes- 
sages at the relays. For instance, for a single attack on {A, C) and p > 0.24, 
strategy (XAF;F) saves more energy because D does not relay combined mes- 
sages that are polluted. For high p, XAF mode on C provides the minimum 
energy but drastically reduces throughput. Consequently, for small p, the energy 
optimal strategy is to be favored because the loss of throughput is less important 
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while for higher p, more energy-consuming modes of MAC have to be considered 
to favor throughput. 

5 Conclusions and Perspectives 

This paper formulates the energy efficient authentication planning problem for 
XOR network coding. It formulates the problem as a binary non-linear opti- 
mization problem that minimizes the overall energy consumption of the secured 
network. Optimal roll-out of security-enabled nodes can be deduced together 
with their appropriate MAC mode. Results for the butterfly topology exhibit 
the trade-off between energy efficiency and throughput of non-polluted messages 
as a function of the MAC mode considered. 

Determining optimal security roll-outs should now be done for larger net- 
works. In this context, exhaustive search is not scalable and proper optimization 
tools need to be derived in future works. A relaxed version of the problem can 
be formulated where the binary authentication variable becomes a message au- 
thentication probability. In this case, we move from a hard decision to a soft 
decision model, which could be easier to solve. A multiobjective optimization 
approach could be considered as well in order to find the Pareto bound maximiz- 
ing network throughput and minimizing energy expenditure. This work opens 
several perspectives as well. Extending this study to the case of random linear 
network coding is important for future work. Similarly, the definition of dis- 
tributed algorithms that converge to energy efficient authentication strategies 
is a practical result of interest. 
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